Move away from nss-altfiles #108

New issue

Open

opened 2026-03-23 17:37:08 +00:00 by siosm · 1 comment

siosm commented 2026-03-23 17:37:08 +00:00

Owner

Copy link

Describe the enhancement

We have hit a lot of issues with how we split users between the configuration in the image (/usr/lib/passwd & group, /usr/etc/passwd, group, shadow & gshadow) and the local configuration (/etc/passwd, group, shadow & gshadow) using nss-altfiles:

• #90
• kde/tracker#684
• https://github.com/fedora-silverblue/issue-tracker/issues/362
• https://docs.fedoraproject.org/en-US/atomic-desktops/troubleshooting/#_unable_to_add_user_to_group
• kde/tracker#109 (comment)
• https://github.com/fedora-silverblue/issue-tracker/issues/597

The solution is mostly described by https://github.com/coreos/fedora-coreos-tracker/issues/1599: We should stop using nss-altfiles.

There are two main tasks to make that happen:

• Build images without nss-altfiles that work properly:
  • They should likely ship with a default copy of /usr/etc/passwd, group, shadow & gshadow, maybe only with a limited set of static users (the ones used by files & packages in the image)
  • And then use systemd-sysusers for the rest
• Create a migration path for existing systems to merge the config from the image into the local config, preserving local modifications.
  • This is probably something that would be good to put in bootc or rpm-ostree.

System details

No response

Additional information

See also:

• https://gitlab.com/fedora/bootc/tracker/-/work_items/50
• https://gitlab.com/fedora/bootc/tracker/-/work_items/31
• https://github.com/bootc-dev/bootc/issues/673
• https://github.com/bootc-dev/bootc/issues/1179
• https://github.com/bootc-dev/bootc/issues/1263
• https://github.com/coreos/rpm-ostree/issues/49
• https://github.com/coreos/fedora-coreos-tracker/issues/1599
• https://github.com/coreos/fedora-coreos-tracker/issues/155

### Describe the enhancement We have hit a lot of issues with how we split users between the configuration in the image (`/usr/lib/passwd` & `group`, `/usr/etc/passwd`, `group`, `shadow` & `gshadow`) and the local configuration (`/etc/passwd`, `group`, `shadow` & `gshadow`) using `nss-altfiles`: - https://forge.fedoraproject.org/atomic-desktops/tracker/issues/90 - https://forge.fedoraproject.org/kde/tracker/issues/684 - https://github.com/fedora-silverblue/issue-tracker/issues/362 - https://docs.fedoraproject.org/en-US/atomic-desktops/troubleshooting/#_unable_to_add_user_to_group - https://forge.fedoraproject.org/kde/tracker/issues/109#issuecomment-555155 - https://github.com/fedora-silverblue/issue-tracker/issues/597 The solution is mostly described by https://github.com/coreos/fedora-coreos-tracker/issues/1599: We should stop using `nss-altfiles`. There are two main tasks to make that happen: - Build images without `nss-altfiles` that work properly: - They should likely ship with a default copy of `/usr/etc/passwd`, `group`, `shadow` & `gshadow`, maybe only with a limited set of static users (the ones used by files & packages in the image) - And then use `systemd-sysusers` for the rest - Create a migration path for existing systems to merge the config from the image into the local config, preserving local modifications. - This is probably something that would be good to put in bootc or rpm-ostree. ### System details _No response_ ### Additional information See also: - https://gitlab.com/fedora/bootc/tracker/-/work_items/50 - https://gitlab.com/fedora/bootc/tracker/-/work_items/31 - https://github.com/bootc-dev/bootc/issues/673 - https://github.com/bootc-dev/bootc/issues/1179 - https://github.com/bootc-dev/bootc/issues/1263 - https://github.com/coreos/rpm-ostree/issues/49 - https://github.com/coreos/fedora-coreos-tracker/issues/1599 - https://github.com/coreos/fedora-coreos-tracker/issues/155

siosm added the

kind

enhancement

label 2026-03-23 17:37:08 +00:00

siosm referenced this issue 2026-03-23 17:38:29 +00:00

Workaround for files/folders owned by a dynamic UID/GID #90

siosm referenced this issue from kde/tracker 2026-03-23 17:38:35 +00:00

[Kinoite] Plasma Login issue with rawhide rebase #684

siosm referenced this issue from kde/tracker 2026-03-23 17:41:21 +00:00

List of known Kinoite bugs #112

siosm commented 2026-03-24 17:42:02 +00:00

Author

Owner

Copy link

Fedora bootc issue: https://gitlab.com/fedora/bootc/tracker/-/work_items/87

Fedora bootc issue: https://gitlab.com/fedora/bootc/tracker/-/work_items/87

siosm pinned this 2026-04-21 10:53:46 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

No results found.

Labels

Clear labels   

docs

Related to the documentation or needs documentation

  

kind

bug

Bug

  

kind

enhancement

Enhancement

  

kind

package-request

New package request

  

release

f40

Related to or impacting Fedora 40

  

release

f41

Related to or impacting Fedora 41

  

release

f42

Related to or impacting Fedora 42

  

release

f43

Related to or impacting Fedora 43

  

release

f44

Related to or impacting Fedora 44

  

release

f45

Related to or impacting Fedora 45

  

release/rawhide

Related to or impacting Fedora Rawhide

No labels

docs

kind

bug

kind

enhancement

kind

package-request

release

f40

release

f41

release

f42

release

f43

release

f44

release

f45

release/rawhide

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

atomic-desktops/tracker#108

No description provided.